njrat | 0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6 | Triage

Submit
Reports

Overview

overview

Static

static

lol.exe

windows10-1703-x64

Sharing

General

Target

lol.exe
Size

3.6MB
Sample

240523-q54qdadc6t
MD5

20bed1337f3a4fac4127076ad1a1fa67
SHA1

fe648d3c6f275b81080d1f30068f423cdb4a8a7a
SHA256

0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6
SHA512

9da7adc1d495716ce6e1d5cfd78401fcafe32e92f59f377b4bd4c89c2f6d2754b9320d2ab59e48a02ed30f4ee65e7bf5d084d33d673a08e8c1b4a84e0716dd2b
SSDEEP

49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MhGc:WoGapAv1vYjWSMy7PlnVw1sB

Score

10^/10

njrat umbral discovery evasion persistence spyware stealer trojan

Static task

static1

5 signatures

Behavioral task

behavioral1

Sample

lol.exe

Resource

win10-20240404-en

discovery evasion persistence spyware stealer trojan

windows10-1703-x64

30 signatures

150 seconds

Malware Config

Targets

- Target
  
  lol.exe
- Size
  
  3.6MB
- MD5
  
  20bed1337f3a4fac4127076ad1a1fa67
- SHA1
  
  fe648d3c6f275b81080d1f30068f423cdb4a8a7a
- SHA256
  
  0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6
- SHA512
  
  9da7adc1d495716ce6e1d5cfd78401fcafe32e92f59f377b4bd4c89c2f6d2754b9320d2ab59e48a02ed30f4ee65e7bf5d084d33d673a08e8c1b4a84e0716dd2b
- SSDEEP
  
  49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MhGc:WoGapAv1vYjWSMy7PlnVw1sB
Score

10^/10

discovery evasion persistence spyware stealer trojan
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Impair Defenses

Disable or Modify Tools

File and Directory Permissions Modification

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

discoveryevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy